hello, I've written a hook with a different approach. It is quite simple (and works only on my machine :-) ).
To shortly summarize it:

* don't put gpgkeys or gpghome directories for local partitions into the initrd
* provide a crypttab-like file: since losetup and mount of loop-aes-utils can use fstab, a special fstab could be used only for the initramfs boot phase, e.g. /etc/loopaes.fstab
* create all loop devices found in loopaes.fstab, not only the rootfs. As a result the normal fstab looks like

    /dev/loop3 /home ext2 defaults 0 2

  so that you can easily fsck them. The counterpart in loopaes.fstab would look like

    /dev/sda3 /home ext2 defaults,loop=/dev/loop3,encryption=AES256,gpgkey=foo.gpg,gpghome=/ 0 0

  so that during the initrd boot phase a simple "losetup -F /dev/loop3" does the job
* use encrypted external media; the key for the media should be in the initrd. That external media contains all the necessary files (e.g. plain passwords for using fd)

A typical initrd boot phase would be
- mount the encrypted sd-card with the gpgkey which is in the initrd
- set up the loop devices with the keys from the sd-card
- umount the sd-card
- don't handle encrypted swap or tmp

Attached are some example files.

Regards,
Serkan
Attachment: examples.tar.bz2 (application/bzip)
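The boot phase described in the post (mount the key medium, set up every loop device listed in loopaes.fstab, unmount the key medium), written out as an added example. This is not the content of Serkan's attached tarball and it assumes several things that the post does not state: the key medium is at $KEYDEV and is mounted at $KEYDIR, its own gpgkey sits at /etc/sdcard.gpg inside the initrd, and each gpgkey= value in loopaes.fstab is a file name relative to the mounted key medium. The loop-AES `losetup -F` call and the `-o loop,encryption=...,gpgkey=...` mount options are the ones the post and loop-AES use; everything else (function names, the check that every referenced key exists before any loop is set up, the sample fstab) is constructed here.

```sh
#!/bin/sh
# Added example: initrd-phase helper for a loop-AES style fstab.
# Assumptions (hypothetical, not from the post): key medium $KEYDEV mounted at
# $KEYDIR, its gpgkey in the initrd at /etc/sdcard.gpg, gpgkey= values relative
# to $KEYDIR. $LOSETUP can be overridden to dry-run with a fake losetup.

LOOPAES_FSTAB="${LOOPAES_FSTAB:-/etc/loopaes.fstab}"
KEYDEV="${KEYDEV:-/dev/mmcblk0p1}"
KEYDIR="${KEYDIR:-/mnt/keys}"
LOSETUP="${LOSETUP:-losetup}"

# Constructed sample of /etc/loopaes.fstab, modelled on the post's /home line.
sample_fstab() {
    cat <<'EOF'
# local partitions, one loop device each; keys live on the sd-card
/dev/sda2  /      ext3  defaults,loop=/dev/loop2,encryption=AES256,gpgkey=root.gpg,gpghome=/  0 0
/dev/sda3  /home  ext2  defaults,loop=/dev/loop3,encryption=AES256,gpgkey=foo.gpg,gpghome=/   0 0
proc       /proc  proc  defaults  0 0
EOF
}

# Print "<loopdev> <gpgkey>" for every non-comment entry whose mount options
# carry loop=...; entries without loop= (like /proc) are ignored.
loop_entries() {
    sed -e 's/#.*//' "$1" | awk 'NF >= 4 {
        n = split($4, o, ",")
        loop = ""; key = ""
        for (i = 1; i <= n; i++) {
            if (o[i] ~ /^loop=/)   loop = substr(o[i], 6)
            if (o[i] ~ /^gpgkey=/) key  = substr(o[i], 8)
        }
        if (loop != "") print loop, key
    }'
}

# Fail (status 1) if any gpgkey referenced in the fstab is absent under $2,
# so that we never leave a half set-up system behind.
check_keys() {
    fstab="$1"; keydir="$2"; missing=0
    while read -r loop key; do
        [ -z "$loop" ] && continue
        [ -z "$key" ] && continue      # entry without gpgkey (e.g. password based)
        if [ ! -f "$keydir/$key" ]; then
            echo "check_keys: $loop needs $keydir/$key but it is missing" >&2
            missing=$((missing + 1))
        fi
    done <<EOF
$(loop_entries "$fstab")
EOF
    [ "$missing" -eq 0 ]
}

# "losetup -F <loopdev>" for every loop device in the fstab; losetup reads the
# encryption/gpgkey/gpghome options for that device from the fstab itself.
setup_loops() {
    fstab="$1"
    while read -r loop key; do
        [ -z "$loop" ] && continue
        "$LOSETUP" -F "$loop" || return 1
    done <<EOF
$(loop_entries "$fstab")
EOF
}

main() {
    mkdir -p "$KEYDIR"
    # 1. mount the encrypted key medium; its gpgkey is the only key in the initrd
    mount -o loop,encryption=AES256,gpgkey=/etc/sdcard.gpg "$KEYDEV" "$KEYDIR" || return 1
    # 2. verify all keys are present, then set up every loop device
    if check_keys "$LOOPAES_FSTAB" "$KEYDIR" && setup_loops "$LOOPAES_FSTAB"; then
        umount "$KEYDIR"            # 3. drop the key medium before pivoting to the real root
        return 0
    fi
    umount "$KEYDIR"
    return 1
}

# Only run the boot sequence when explicitly asked ("./initrd-loopaes.sh run").
case "${1:-}" in run) main ;; esac
```

The key check runs before the first `losetup -F` on purpose: with loop-AES the root loop device will usually be set up first, and a missing key for /home would otherwise only surface after root is already configured and the key medium is about to be unmounted.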